2016-08-31 126 views
1

We are trying to build a website that has a login screen, but we have a problem. Our domain is localhost/Login/User. However, if a user goes to localhost/Home/Index, he/she can reach our main site without logging in. So we put [Authorize] on our Index controller, but I cannot find what I have to use. Do I have to use AuthorizeAttribute in our project?

MVC authentication controller

Login page

using System.Web.Mvc;

public class LoginController : Controller
{
    // GET: Login
    [IntranetAction]
    public ActionResult Users()
    {
        return View();
    }

    public ActionResult Authentication(UserLoginInfo loginInfo)
    {
        bool isAuthenticated = new LdapServiceManager().isAuthenticated(loginInfo);

        if (isAuthenticated)
        {
            // AUTHORIZED: only a Session entry is set here; nothing sets User.Identity
            Session["userName"] = loginInfo.username;
            return Redirect("/Home/Index");
        }
        // WRONG PASSWORD, BACK TO LOGIN PAGE
        TempData["message"] = "Yanlış kullanıcı adı ya da şifre";
        return Redirect("/");
    }
}

Index page

[Authorize]
public ActionResult Index()
{
    Session["ip"] = Request.UserHostAddress;
    if (IsDbExists())
    {
        _contactList = new List<Contact>();
        UpdateOperations();
        return View(_contactList);
    }

    // Return the redirect as an ActionResult instead of Response.Redirect(...) + return null
    return Redirect("/Loading/LoadingScreen");
}

Answer

1

For your LoginController/Authentication action to be reachable, add the [AllowAnonymous] attribute. I would add another controller called AuthController that has the [AllowAnonymous] attribute, so users can log in without actually being logged in.

I usually filter all controllers by default and add the [AllowAnonymous] attribute to the ones that should be accessible to anyone.

This is what I use to solve the problem.

using System.Web.Mvc; 

namespace Test 
{ 
    public class FilterConfig 
    { 
     public static void RegisterGlobalFilters(GlobalFilterCollection filters) 
     { 
      filters.Add(new HandleErrorAttribute()); 
      filters.Add(new AuthorizeAttribute()); 
     } 
    } 
} 

An example of the [AllowAnonymous] attribute on an AuthController.

using System.Security.Claims; 
using System.Web; 
using System.Web.Mvc; 
using BusinessLogic.Services; 
using Common.Models; 
using Microsoft.AspNet.Identity; 
using Microsoft.Owin.Security; 

namespace Test.Controllers 
{ 
    [AllowAnonymous] 
    public class AuthController : Controller 
    { 
     private readonly IUsersService _usersService; 

     public AuthController(IUsersService usersService) 
     { 
      _usersService = usersService; 
     } 

     [HttpGet] 
     public ActionResult LogIn() 
     { 
      return View(); 
     } 

     [HttpPost] 
     public ActionResult LogIn(LoginModel loginModel) 
     { 
      if (!ModelState.IsValid) 
      { 
       return View(); 
      } 

      var isValid = _usersService.AuthenticateUser(loginModel); 
      if (isValid) 
      { 
       var identity = new ClaimsIdentity(new[] 
       { 
        new Claim(ClaimTypes.NameIdentifier, loginModel.Username), 
        new Claim(ClaimTypes.Name, loginModel.Username), 
       }, DefaultAuthenticationTypes.ApplicationCookie); 

       Request.GetOwinContext().Authentication.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity); 

       return Redirect(GetRedirectUrl(loginModel.ReturnUrl)); 
      } 

      ModelState.AddModelError("", "Invalid credentials"); 
      return View(); 
     } 

     public ActionResult LogOut()
     {
      var ctx = Request.GetOwinContext();
      var authManager = ctx.Authentication;

      // Same authentication type that was used when the identity was created
      authManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
      return RedirectToAction("index", "home");
     }

     private string GetRedirectUrl(string returnUrl)
     {
      // Only follow returnUrl when it points back into this site (prevents open redirects)
      if (string.IsNullOrEmpty(returnUrl) || !Url.IsLocalUrl(returnUrl))
      {
       return Url.Action("index", "home");
      }
      return returnUrl;
     }
    }
}

References that may help you: http://benfoster.io/blog/aspnet-identity-stripped-bare-mvc-part-1

https://softwareengineering.stackexchange.com/questions/284380/is-formsauthentication-obsolete

Role-based access control (RBAC) vs. Claims-based access control (CBAC) in ASP.NET MVC

https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet
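The FilterConfig and AuthController in the answer only enforce anything once two more pieces are in place: the global filters have to be registered at application start, and the OWIN cookie middleware has to be configured, because AuthorizeAttribute checks User.Identity.IsAuthenticated (a Session entry, as in the question's LoginController, never sets that) and the SignIn call only produces an authenticated principal on later requests if a middleware with a matching AuthenticationType reads the cookie back. The following is an added example of that wiring, not code from the question or the answer; it assumes the Test namespace and the FilterConfig class from the answer, an MVC 5 project with the Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies and Microsoft.AspNet.Identity.Core packages, and the /Auth/LogIn route from the AuthController above.

```csharp
// Added example: Startup (OWIN) and Global.asax code-behind for the answer's
// FilterConfig/AuthController. Assumptions: namespace Test, FilterConfig from the
// answer, packages Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies
// and Microsoft.AspNet.Identity.Core.
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(Test.Startup))]

namespace Test
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // Must equal the authentication type passed to ClaimsIdentity in
                // AuthController.LogIn and to SignOut; otherwise the cookie that
                // SignIn issues is never read back and every request stays anonymous.
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,

                // Requests rejected by the global AuthorizeAttribute are redirected
                // here (with ?ReturnUrl=...) instead of receiving a bare 401.
                LoginPath = new PathString("/Auth/LogIn"),

                // Session cookie hardening: not readable by script, HTTPS only,
                // bounded lifetime that is renewed while the user is active.
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,
                ExpireTimeSpan = TimeSpan.FromMinutes(30),
                SlidingExpiration = true
            });
        }
    }

    public class MvcApplication : HttpApplication
    {
        protected void Application_Start()
        {
            AreaRegistration.RegisterAllAreas();

            // Fail-closed default: AuthorizeAttribute applies to every action;
            // only actions/controllers marked [AllowAnonymous] (the AuthController)
            // are reachable without an authenticated identity.
            FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);

            // Standard MVC routing so /Home/Index and /Auth/LogIn resolve.
            RouteTable.Routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
            RouteTable.Routes.MapRoute(
                name: "Default",
                url: "{controller}/{action}/{id}",
                defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional });
        }
    }
}
```

With this in place, an unauthenticated request to /Home/Index is redirected to /Auth/LogIn?ReturnUrl=%2FHome%2FIndex, and the GetRedirectUrl check in the answer's AuthController (Url.IsLocalUrl) is what keeps that ReturnUrl from being abused as an open redirect after a successful login.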